name: Container Vulnerability Scan
on:
  schedule:
    - cron: "0 4 * * *"
  workflow_dispatch:

permissions: read-all

jobs:
  container-scan:
    if: github.repository_owner == 'cilium'
    name: Scan Containers
    runs-on: ubuntu-22.04
    continue-on-error: true
    strategy:
      matrix:
        image: [
          {name: cilium, dockerfile: ./images/cilium/Dockerfile},
          {name: clustermesh-apiserver, dockerfile: ./images/clustermesh-apiserver/Dockerfile},
          {name: docker-plugin, dockerfile: ./images/cilium-docker-plugin/Dockerfile},
          {name: hubble-relay, dockerfile: ./images/hubble-relay/Dockerfile},
          {name: operator-generic, dockerfile: ./images/operator/Dockerfile},
        ]
        branch: [v1.12, v1.13, v1.14, v1.15]
        include:
          - image: {name: kvstoremesh, dockerfile: ./images/kvstoremesh/Dockerfile}
            branch: v1.14
    steps:
      - name: Checkout
        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
        with:
          ref: ${{ matrix.branch }}
          persist-credentials: false
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
      - name: Build local container
        uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0
        with:
          context: . 
          tags: ${{ matrix.image.name }}:${{ matrix.branch }}
          push: false
          load: true
          file: ${{ matrix.image.dockerfile }}
          build-args: |
            OPERATOR_VARIANT=${{ matrix.image.name }}
      - name: Scan image
        uses: anchore/scan-action@3343887d815d7b07465f6fdcd395bd66508d486a # v3.6.4
        with:
          image: ${{ matrix.image.name }}:${{ matrix.branch }}
          output-format: table
          severity-cutoff: critical
